Vulnerability CVE-2013-3582


Published: 2013-08-28   Modified: 2013-08-29

Description:
Buffer overflow in Dell BIOS on Dell Latitude D###, E####, XT2, and Z600 devices, and Dell Precision M#### devices, allows local users to bypass intended BIOS signing requirements and install arbitrary BIOS images by leveraging administrative privileges and providing a crafted rbu_packet.pktNum value in conjunction with a crafted rbu_packet.pktSize value.

Type: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: DELL
Product: Latitude d530 
Product: Latitude d 
Product: Precision m6300 
Product: Latitude e6500 
Product: Latitude e5400 
Product: Latitude d630 
Product: Latitude xt2 
Product: Precision m6500 
Product: Precision m2400 
Product: Latitude e6400 
Product: Latitude d830 
Product: Precision m 
Product: Precision m4400 
Product: Latitude e6400 atg xfr 
Product: Latitude e4300 
Product: Latitude d531 
Product: Latitude e 
Product: Precision m6400 
Product: Precision m2300 
Product: Latitude e5500 
Product: Latitude d631 
Product: Latitude z600 
Product: Precision m4300 
Product: Latitude e6400 atg 
Product: Latitude e4200 

CVSS2 => (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://www.kb.cert.org/vuls/id/BLUU-99HSLA
http://www.kb.cert.org/vuls/id/912156
https://www.blackhat.com/us-13/archives.html#Butterworth
https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-WP.pdf
https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf

Related CVE
CVE-2019-3744
Dell/Alienware Digital Delivery versions prior to 4.0.41 contain a privilege escalation vulnerability. A local non-privileged malicious user could exploit a Universal Windows Platform application by manipulating the install software package feature w...
CVE-2019-3742
Dell/Alienware Digital Delivery versions prior to 3.5.2013 contain a privilege escalation vulnerability. A local non-privileged malicious user could exploit a named pipe that performs binary deserialization via a process hollowing technique to inject...
CVE-2019-3717
Select Dell Client Commercial and Consumer platforms contain an Improper Access Vulnerability. An unauthenticated attacker with physical access to the system could potentially bypass intended Secure Boot restrictions to run unsigned and untrusted cod...
CVE-2019-3741
Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain a plain-text password storage vulnerability. A Unisphere user's (including the admin privilege user) password is stored in a plain text in Unity Data Collection bundle (logs files fo...
CVE-2019-3734
Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain an improper authorization vulnerability in NAS Server quotas configuration. A remote authenticated Unisphere Operator could potentially exploit this vulnerability to edit quota confi...
CVE-2019-12280
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element.
CVE-2019-3735
Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, and 3.2.1 contain an Improper Privilege Management Vulnerability. A malicious local user can exploit th...
CVE-2019-3737
Dell EMC Avamar ADMe Web Interface 1.0.50 and 1.0.51 are affected by an LFI vulnerability which may allow a malicious user to download arbitrary files from the affected system by sending a specially crafted request to the Web Interface application.

Copyright 2019, cxsecurity.com
